What does XDR mean?  What does it do?

eXtended Detection and Response (XDR) solutions integrate a set of products unifying control points, security data, analytics and operations into a single enterprise solution.  XDR support includes multiple telemetries such as endpoint, network, and cloud sensors.

XDR promises to provide technology integration between data sources and security operations to accelerate detection and response, while reducing engineering headaches.

What is the Respond Analyst, an XDR Engine?

The Respond Analyst XDR Engine is software that combines human reasoning with machine power to make complex decisions with 100% consistency.  The Respond Analyst includes:

    • Built-In security expertise
    • Continuous learning and adaptability
    • 100% consistency without human bias or fatigue
    • Enterprise scale at machine speed
    • The ability to process millions of alerts in real-time

The Respond Analyst monitors your network 24×7 without the need to have people in the SOC around the clock.  The analysis, reasoning and decision making of a SOC analyst is built into our software, allowing us to automate monitoring, detection and investigation.  At volume and scale, the Respond Analyst applies consistent, in-depth analysis (60+ facts), without bias or fatigue when making decisions on escalating incidents for remediation.

How is the Respond Analyst different from other security solutions? 

The Respond Analyst learns about your environment and keeps tribal knowledge forever, using this information in its decision-making process.  It also learns collectively across our entire customer base, so its analysis improves continuously, without you having to lift a finger.

The Respond Analyst is different from other security operations products in five primary ways:

  1. Intelligent:  Uses complex mathematical models and considers many facts at machine speed to find real incidents in your heterogeneous security data.
  2. Scalable: Scales to the world’s largest IT environments with delivery through the cloud.  Existing sensors do not need to be tuned down, so all data is factored into escalation decisions.
  3. Fast: Streams data in real time to find and scope incidents using integrated reasoning, significantly reducing attacker dwell time.  Right-clicking on an incident allows for immediate response to the issue.
  4. Simple: Deploys in hours, is highly scalable and constantly learns without tuning, coding or content writing.  That means no rules to write, scripts to program or big piles of data to label.
  5. Open:  Works with the broadest range of vendors, telemetries, and threat intelligence.  This enables you to choose the vendors of your preference and supports the data from sensors that you already have.

How is the Respond Analyst different from a SIEM?

SIEMs use rules to reduce the number of security events that security teams analyze – in other words, funneling the data to a capacity that a team can manage. The Respond Analyst flips that funnel using all available data to make better security decisions, faster. The Respond Analyst uses pre-built decision models, ready to work on day one – no training or rules writing required.

Output from SIEMs can be unreliable and inconsistent.  One reason for this is that SIEM rules are based on boolean, deterministic rule logic that is too simplistic to isolate and analyze real attacks and determine true (vs. false) positives. Additionally, SIEM rules, and the people who write them, can vary in quality, resulting in inaccurate or incomplete analysis.  The Respond Analyst collects and analyzes data directly from security sensors, without additional rule logic applied, replacing the SIEM’s rule logic for general security use cases.

We have implemented SOAR – how does the Respond Analyst fit?

SOAR platforms can be programmed by security engineering teams to automate analyst tasks, i.e., data collection, correlation, enrichment and assisting in responding to low-level, repetitive security events. The Respond Analyst is pre-built software that automates the analysis, investigation and triage ‘at the front line’ of security decision-making, vetting all events before the SOAR needs to take action. The Respond Analyst is ready to work on day one, with no programming required, and elevates security teams to remediation and response activity.  The Respond Analyst integrates with SOAR systems, sending incidents to the SOAR for remediation.

What’s the difference between a security “event” and an “incident”?

A security event is a single occurrence that theoretically indicates suspicious activity. Sensors like firewalls, web proxy monitors, endpoint detection and response and endpoint protection solutions generate thousands to millions of individual events on a daily basis that may or may not be an indication of a threat. The Respond Analyst considers all available security events – analyzing, investigating and correlating them into security incidents that are scoped and prioritized for security teams to take action on. The Respond Analyst only escalates vetted security incidents and updates the scoped escalation as additional related security data becomes available.

We use an MSSP for frontline monitoring and triage. How is the Respond Analyst different?

MSSPs are challenged with the same ‘people in front of console’ problem as any internal SOC. MSSPs narrow down the data their teams analyze using rules and sensor filters – that means that most likely less than 10% of your data is getting analyzed. Furthermore, MSSPs escalate individual events that seem suspicious. Using the Respond Analyst with the same number of team members you have today, you improve your coverage and capacity and only spend time on vetted security incidents that have the data to back them up.

Where does the Respond Analyst fit in a SOC architecture?

The Respond Analyst Analyst Server reviews streaming data from network, endpoint and web filtering sensors.  This information is correlated with company context data and, if a threat is detected, it is passed on to the cloud-based Integrated Reasoning Engine.  The incident is passed through Respond Software probability models hosted in the cloud with the added context of threat intelligence.  If the organization is using a SIEM solution, the incident can be passed to it and presented there.  Over time, the incident is scoped with any new events that are significant.  The incident is presented in the Respond Analyst console and passed to a security analyst who can provide feedback.  If the organization is using a SOAR or ticketing system, the incident can be sent there for remediation.

 


The Respond Analyst, an XDR Engine Data Sheet

The Respond Analyst, an XDR Engine, is the first decision automation system for cybersecurity. With speed, scale and consistency, the Respond Analyst is ready to go to work, out-of-the-box.